Stacking MailGuard with Microsoft Office 365



Post on 24-Jun-2020


MAILGUARD HELP DESK: Stacking MailGuard with Office 365


Stacking MailGuard with Office 365

MailGuard can be easily stacked on top of Office 365 to make the most of its email hosting functionality, as well as MailGuard's superior email security. If you are using Office 365 Enterprise level (or have Exchange Admin Center - EAC) you should be able to customise or create the Inbound and Outbound connectors to receive and route mail via MailGuard's servers.

Please check with your Office 365 Administrator before proceeding to ensure the standard instructions below are appropriate for your instance of Office 365. There may be customisations made to your Office 365 environment which our standard instructions do not accommodate.

Inbound

IMPORTANT: It is important that you consider whether all domains hosted within the Office 365 environment are to be protected by MailGuard in the same account or not. If there are domains which are in your Office 365 tenant, but are not part of your MailGuard account, they will not be fully secured against a direct attack. To ensure that every domain in the Office 365 environment is protected, you will need to add them into the MailGuard account. Before you proceed with stacking MailGuard and Office 365, please have all domains added to your MailGuard account via your supporting Partner or MailGuard Support.

For inbound configuration, because MailGuard is to be the primary email security provider, you need to configure the MX records for each domain to point to the MailGuard servers, as per the MX configuration requirements in the Domains page in the MailGuard Console.

It is essential when setting up the inbound connection to ensure that the TTL (Time To Live) values for the domain’s MX records have fully expired (propagated), so that mail flow from the rest of the Internet is coming through to MailGuard first. This will need to be done before adding the Inbound Connector (see the steps below), as the Inbound Connector will set up Office 365 to only accept email from MailGuard’s servers, and if the TTLs have not fully run their course, email may still go through to the Office 365 environment and may be rejected.

The second step is to have the destination server (the place where MailGuard delivers clean emails to) point towards the Office 365 MX record. This allows emails to reach MailGuard first for primary filtering, and then MailGuard passes on the clean emails to your Office 365 account.

You will be able to find this in your Office 365 Admin center: go to Admin, click Setup on the left-hand side, then click on Domains. Select your domain and then in the popup screen select Exchange Online. You will need to get the MX record that looks similar to this – example-com-au.mail.protection.outlook.com.


Please check the MailGuard Console (Configuration – MailGuard – Domains) to see if the destination server for your domain is correct; alternatively, please see your Welcome to MailGuard email to confirm.

If unsure, please contact the MailGuard Service Desk on 1300 30 65 10 to have this updated to the Office 365 MX record, if this has not already been done.

To configure the Inbound Connector in the Exchange Admin Center, refer to the following steps:

1. Go to the Exchange Admin Center
   • Go to the App Launcher in the top left of the Office 365 Admin Center
   • Find the Admin button in the list of Office 365 apps
   • Under Admin centers on the left-hand side, find Exchange.

2. Select Mail Flow on the left-hand side and then click on Connectors.

3. Click on the + icon under Connectors to create a new connector.


4. To create a new Inbound Connector, select Partner organization in the From: drop-down menu. Then select Office 365 in the To: drop-down menu.

5. Give the connector a name and ensure that the Turn it on box is ticked, and then click Next.

6. Select Use the sender’s domain to identify the Partner organization, and then click Next.


7. Click on the + icon to add a domain and enter * to identify as a wildcard to match all sender domains and then click OK.
   • It is important to have the wildcard * as this will target all emails coming through to Office 365.


8. Select Reject email messages if they aren’t sent over TLS.

Note: MailGuard will always use TLS encryption where it is possible to do so.

a) Tick the box Reject email messages if they aren’t sent from within this IP address range to enforce the Access Control List – this forces all email to be filtered through MailGuard.

b) Click on the + icon under Reject email messages if they aren’t sent from within this IP address range and add the MailGuard Relay servers (one at a time) that will connect to the online Exchange to deliver the filtered emails. Please take care when adding the IP addresses, as a single mistake can cause mail flow issues.

List of Relay servers to add:

50.23.246.238/32
50.23.252.166/32
108.168.255.216/32
108.168.255.217/32
203.21.125.32/32
203.21.125.33/32

Once all the Relay servers have been added, click Next.

9. Confirm the Connector settings and if everything is okay, click Save.

• Ensure that the Status for this Connector is set to On, otherwise the rules above will not actually be applied.
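Because a single mistyped relay address in step 8 can break mail flow or widen the access control list, the following added example (not MailGuard's or Microsoft's own tooling) compares the ranges entered in the connector with the relay list above and reports typos, missing relays and over-wide ranges. The function names and the sample input in the demo are constructed for illustration.

```python
import ipaddress

# Relay ranges copied from the list in step 8(b).
EXPECTED_RELAYS = (
    "50.23.246.238/32", "50.23.252.166/32",
    "108.168.255.216/32", "108.168.255.217/32",
    "203.21.125.32/32", "203.21.125.33/32",
)

def _parse(entries):
    """Split entries into valid IPv4 networks and strings that do not parse."""
    good, bad = [], []
    for raw in entries:
        try:
            # strict=True rejects entries with host bits set, e.g. 203.21.125.33/24
            good.append(ipaddress.IPv4Network(raw.strip(), strict=True))
        except ValueError:
            bad.append(raw)
    return good, bad

def audit_relay_acl(entered):
    """Compare what was typed into the connector with the expected relays."""
    expected = {ipaddress.IPv4Network(r) for r in EXPECTED_RELAYS}
    nets, malformed = _parse(entered)
    report = {"malformed": malformed, "unexpected": [], "too_broad": [], "missing": []}
    for net in nets:
        if net in expected:
            continue
        # A wider range that contains a relay also admits that relay's neighbours.
        covers_relay = any(e.subnet_of(net) for e in expected)
        report["too_broad" if covers_relay else "unexpected"].append(str(net))
    for relay in sorted(expected):
        # A relay not covered by any entry will be rejected by the connector.
        if not any(relay.subnet_of(n) for n in nets):
            report["missing"].append(str(relay))
    return report

def connector_would_accept(source_ip, entered):
    """True if source_ip falls inside any valid range in the entered list."""
    nets, _ = _parse(entered)
    addr = ipaddress.IPv4Address(source_ip)
    return any(addr in n for n in nets)

if __name__ == "__main__":
    # Constructed input: one mistyped address and one over-wide range.
    typed = list(EXPECTED_RELAYS[:3]) + ["108.168.255.218/32", "203.21.125.0/24"]
    print(audit_relay_acl(typed))
```

An empty report for the entered list means the connector's IP restriction matches the relay list exactly.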


Recommended additional steps

When using MailGuard as your Email Security Provider in front of Office 365, it is recommended to whitelist MailGuard within the Exchange Online Protection (EOP) system within Office 365 to ensure delivery of email from MailGuard to your users.

EOP Spam Filtering can be adjusted by setting up a rule under the rules menu in the 'mail flow' section. You may wish to whitelist [email protected] as the sender email address of the MailGuard Alert Digests which your end users may (if configured) receive from MailGuard.

These digest alerts often contain spam content (subjects and domains) which EOP may interpret as junk and file away in the junk folder. Adding the address above as a bypass address will prevent this from happening. Please consult your Office 365 Administrator before making configuration changes to ensure that the guidelines above are appropriate for your instance.

Important: click on the More options… button near the bottom before you start


• Create a name for the rule – i.e. [email protected] bypass rule.

• Select The sender and then address matches any of these text patterns from the drop-down box under *Apply this rule if, then:
  o Click on *Enter text patterns
  o From here you will need to enter [email protected] into the popup screen, click on the + button to add the email address, and then click OK.


• Under *Do the following… in the drop-down box, select Modify the messages properties and then set the spam confidence level (SCL).

• A pop-up will appear asking you to specify SCL. Select Bypass spam filtering and click OK.


• Under Choose a mode for this rule, select Enforce
  o Ensure that Stop processing more rules is ticked, and
  o That Match sender address in message has been set to Header or envelope

• Now click Save to save this new rule
  o After this rule has been saved, you will be able to adjust the priority of the new rule in the Exchange Admin Center. You will be able to move the rules up and down using the arrow buttons (highlighted in red).


Outbound

Routing your outbound email via MailGuard allows you to have the same reporting and security for your outbound emails. Please see the next few steps that are required to send outbound emails through MailGuard.

First, the Office 365 subnets have to be added to your account's Trusted Networks. This is an essential step, otherwise mail flow issues will occur where MailGuard will bounce mail coming from your Office 365 account.

• You will be able to do this yourself via the MailGuard Console:
  o Configure – MailGuard – Domains – Trust Office365 Networks

If you experience any issues, please contact MailGuard Support on 1300 306 510.

These Office 365 subnets are added so that MailGuard knows to accept emails that we see from your domain originating from the Office 365 infrastructure and treat them as legitimate outbound email traffic from your company.


Once you have had Office 365 Trusted Networks added to your MailGuard account, you can edit or modify the Send connector, depending on your customised deployment.

(SPF Check) Before configuring outbound relaying via MailGuard, you should check to see if the domain has an SPF record published. For a simple lookup tool see https://dmarcian.com/spf-survey/ or https://www.kitterman.com/spf/validate.html.

To configure your SPF record, see the MailGuard Help Center article How to setup an SPF record. Be sure to keep any Office 365 inclusions in your record, and simply add the one for MailGuard (detailed in that Help Center link).

Note: An SPF record for a domain which has MailGuard stacked on top of Office 365 would need to include at a minimum the below entries:

"v=spf1 include:spf.protection.outlook.com include:customer.mailguard.com.au ~all"
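As an added example (not part of the MailGuard guide or its tooling), the check below takes the TXT strings published at a domain and verifies them against the minimum record above: exactly one v=spf1 record, both includes present, the all mechanism last, and no more than the 10 DNS-lookup terms RFC 7208 allows. It goes slightly beyond the record shown by also flagging +all; the function name and the demo record are constructed, and nested includes are not resolved, so the lookup count covers this record's own terms only.

```python
import re

# Minimum includes from the record above; 10 is the RFC 7208 lookup limit.
REQUIRED_INCLUDES = ("spf.protection.outlook.com", "customer.mailguard.com.au")
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def check_spf(txt_records):
    """Return a list of problems for the TXT strings published at a domain."""
    records = [r.strip().strip('"') for r in txt_records]
    spf = [r for r in records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        # None means no policy; more than one makes receivers return permerror.
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    problems, includes, seen, lookups = [], set(), set(), 0
    terms = spf[0].split()[1:]
    for pos, term in enumerate(terms):
        qualifier = term[0] if term[0] in "+-~?" else "+"
        m = re.match(r"([a-z0-9]+)(?:[:=/](.*))?$", term.lstrip("+-~?").lower())
        if not m:
            problems.append(f"unparseable term: {term}")
            continue
        name, value = m.group(1), m.group(2) or ""
        seen.add(name)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            includes.add(value.rstrip("."))
        if name == "all":
            if qualifier == "+":
                problems.append("+all authorises every sender")
            if pos != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
            break  # nothing after 'all' takes part in the evaluation
    problems += [f"missing include:{d}" for d in REQUIRED_INCLUDES if d not in includes]
    if not seen & {"all", "redirect"}:
        problems.append("no 'all' or redirect; unlisted senders get neutral")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} lookup terms in this record (limit {MAX_LOOKUPS})")
    return problems

if __name__ == "__main__":
    # Constructed sample: the MailGuard include was left out.
    print(check_spf(["v=spf1 include:spf.protection.outlook.com -all"]))
```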

More may be required depending on which other systems the domain uses (e.g. MailChimp, Salesforce, Amazon, Azure, etc.). Refer to the Help Center article How to setup an SPF record for more information.

To configure the outbound connector in the Exchange Admin Center, you may refer to the following steps:

1. Go to the Exchange Admin Center.

2. Select the mail flow option on the left-hand side menu and then click Connectors.


3. Click the + icon under Connectors to create a new connector.

4. To specify a new Outbound Connector, select Office 365 in the From: drop-down menu, then select Partner organization from the To: drop-down menu and click Next.


5. Give the connector a name, e.g. MailGuard Send Connector and click Next.

6. Select Only when email messages are sent to these domains and specify * under the Recipient Domains section to apply this connector to all emails that are sent from your Office 365 account and click Next.


7. Select Route email through these smart hosts and click the + symbol to add your unique MailGuard Outgoing Server address (The smarthost address), then click Next.

Sample only: filter.XXXXXX-N.mailguard.com.au

8. Use the default Connection Security. Ensure Always use Transport Layer Security (TLS) to secure the connection and Issued by a trusted certificate authority (CA) are selected.

Click Next and confirm your Outbound Connector settings and then click Next again.


9. Click the + icon and enter a non-Office 365 address to be used to validate the Outbound Connector.

Click Validate.

10. If successful, click Close to finish setting up the Outbound Connector.

Please ensure you send a few test emails, both inbound and outbound, to ensure that your email delivery is successfully routing via MailGuard, to and from Office 365.

Contact MailGuard

If you need any assistance, please feel free to contact the MailGuard Service Desk via email on [email protected] or by calling on 1300 30 65 10.